![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to krb_get_in_tkt.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [CSRG BSD Unix] / 43BSDReno / kerberosIV / krb|
Return to krb_get_in_tkt.c CVS log | Up to [CSRG BSD Unix] / 43BSDReno / kerberosIV / krb |
1.1 root 1: /*
2: * $Source: /usr/src/kerberosIV/krb/RCS/krb_get_in_tkt.c,v $
3: * $Author: kfall $
4: *
5: * Copyright 1986, 1987, 1988 by the Massachusetts Institute
6: * of Technology.
7: *
8: * For copying and distribution information, please see the file
9: * <mit-copyright.h>.
10: */
11:
12: #ifndef lint
13: static char *rcsid_krb_get_in_tkt_c =
14: "$Header: /usr/src/kerberosIV/krb/RCS/krb_get_in_tkt.c,v 4.20 90/06/25 20:56:45 kfall Exp $";
15: #endif /* lint */
16:
17: #include <mit-copyright.h>
18: #include <des.h>
19: #include <krb.h>
20: #include <prot.h>
21:
22: #include <stdio.h>
23: #include <strings.h>
24: #include <errno.h>
25:
26: /* use the bsd time.h struct defs for PC too! */
27: #include <sys/time.h>
28: #include <sys/types.h>
29:
30: int swap_bytes;
31:
32: /*
33: * decrypt_tkt(): Given user, instance, realm, passwd, key_proc
34: * and the cipher text sent from the KDC, decrypt the cipher text
35: * using the key returned by key_proc.
36: */
37:
38: static int decrypt_tkt(user, instance, realm, arg, key_proc, cipp)
39: char *user;
40: char *instance;
41: char *realm;
42: char *arg;
43: int (*key_proc)();
44: KTEXT *cipp;
45: {
46: KTEXT cip = *cipp;
47: C_Block key; /* Key for decrypting cipher */
48: Key_schedule key_s;
49:
50: #ifndef NOENCRYPTION
51: /* Attempt to decrypt it */
52: #endif
53:
54: /* generate a key */
55:
56: {
57: register int rc;
58: rc = (*key_proc)(user,instance,realm,arg,key);
59: if (rc)
60: return(rc);
61: }
62:
63: #ifndef NOENCRYPTION
64: key_sched(key,key_s);
65: pcbc_encrypt((C_Block *)cip->dat,(C_Block *)cip->dat,
66: (long) cip->length,key_s,key,0);
67: #endif /* !NOENCRYPTION */
68: /* Get rid of all traces of key */
69: bzero((char *)key,sizeof(key));
70: bzero((char *)key_s,sizeof(key_s));
71:
72: return(0);
73: }
74:
75: /*
76: * krb_get_in_tkt() gets a ticket for a given principal to use a given
77: * service and stores the returned ticket and session key for future
78: * use.
79: *
80: * The "user", "instance", and "realm" arguments give the identity of
81: * the client who will use the ticket. The "service" and "sinstance"
82: * arguments give the identity of the server that the client wishes
83: * to use. (The realm of the server is the same as the Kerberos server
84: * to whom the request is sent.) The "life" argument indicates the
85: * desired lifetime of the ticket; the "key_proc" argument is a pointer
86: * to the routine used for getting the client's private key to decrypt
87: * the reply from Kerberos. The "decrypt_proc" argument is a pointer
88: * to the routine used to decrypt the reply from Kerberos; and "arg"
89: * is an argument to be passed on to the "key_proc" routine.
90: *
91: * If all goes well, krb_get_in_tkt() returns INTK_OK, otherwise it
92: * returns an error code: If an AUTH_MSG_ERR_REPLY packet is returned
93: * by Kerberos, then the error code it contains is returned. Other
94: * error codes returned by this routine include INTK_PROT to indicate
95: * wrong protocol version, INTK_BADPW to indicate bad password (if
96: * decrypted ticket didn't make sense), INTK_ERR if the ticket was for
97: * the wrong server or the ticket store couldn't be initialized.
98: *
99: * The format of the message sent to Kerberos is as follows:
100: *
101: * Size Variable Field
102: * ---- -------- -----
103: *
104: * 1 byte KRB_PROT_VERSION protocol version number
105: * 1 byte AUTH_MSG_KDC_REQUEST | message type
106: * HOST_BYTE_ORDER local byte order in lsb
107: * string user client's name
108: * string instance client's instance
109: * string realm client's realm
110: * 4 bytes tlocal.tv_sec timestamp in seconds
111: * 1 byte life desired lifetime
112: * string service service's name
113: * string sinstance service's instance
114: */
115:
116: krb_get_in_tkt(user, instance, realm, service, sinstance, life,
117: key_proc, decrypt_proc, arg)
118: char *user;
119: char *instance;
120: char *realm;
121: char *service;
122: char *sinstance;
123: int life;
124: int (*key_proc)();
125: int (*decrypt_proc)();
126: char *arg;
127: {
128: KTEXT_ST pkt_st;
129: KTEXT pkt = &pkt_st; /* Packet to KDC */
130: KTEXT_ST rpkt_st;
131: KTEXT rpkt = &rpkt_st; /* Returned packet */
132: KTEXT_ST cip_st;
133: KTEXT cip = &cip_st; /* Returned Ciphertext */
134: KTEXT_ST tkt_st;
135: KTEXT tkt = &tkt_st; /* Current ticket */
136: C_Block ses; /* Session key for tkt */
137: int kvno; /* Kvno for session key */
138: unsigned char *v = pkt->dat; /* Prot vers no */
139: unsigned char *t = (pkt->dat+1); /* Prot msg type */
140:
141: char s_name[SNAME_SZ];
142: char s_instance[INST_SZ];
143: char rlm[REALM_SZ];
144: int lifetime;
145: int msg_byte_order;
146: int kerror;
147: unsigned long exp_date;
148: char *ptr;
149:
150: struct timeval t_local;
151:
152: unsigned long rep_err_code;
153:
154: unsigned long kdc_time; /* KDC time */
155:
156: /* BUILD REQUEST PACKET */
157:
158: /* Set up the fixed part of the packet */
159: *v = (unsigned char) KRB_PROT_VERSION;
160: *t = (unsigned char) AUTH_MSG_KDC_REQUEST;
161: *t |= HOST_BYTE_ORDER;
162:
163: /* Now for the variable info */
164: (void) strcpy((char *)(pkt->dat+2),user); /* aname */
165: pkt->length = 3 + strlen(user);
166: (void) strcpy((char *)(pkt->dat+pkt->length),
167: instance); /* instance */
168: pkt->length += 1 + strlen(instance);
169: (void) strcpy((char *)(pkt->dat+pkt->length),realm); /* realm */
170: pkt->length += 1 + strlen(realm);
171:
172: (void) gettimeofday(&t_local,(struct timezone *) 0);
173: /* timestamp */
174: bcopy((char *)&(t_local.tv_sec),(char *)(pkt->dat+pkt->length), 4);
175: pkt->length += 4;
176:
177: *(pkt->dat+(pkt->length)++) = (char) life;
178: (void) strcpy((char *)(pkt->dat+pkt->length),service);
179: pkt->length += 1 + strlen(service);
180: (void) strcpy((char *)(pkt->dat+pkt->length),sinstance);
181: pkt->length += 1 + strlen(sinstance);
182:
183: rpkt->length = 0;
184:
185: /* SEND THE REQUEST AND RECEIVE THE RETURN PACKET */
186:
187: if (kerror = send_to_kdc(pkt, rpkt, realm)) return(kerror);
188:
189: /* check packet version of the returned packet */
190: if (pkt_version(rpkt) != KRB_PROT_VERSION)
191: return(INTK_PROT);
192:
193: /* Check byte order */
194: msg_byte_order = pkt_msg_type(rpkt) & 1;
195: swap_bytes = 0;
196: if (msg_byte_order != HOST_BYTE_ORDER) {
197: swap_bytes++;
198: }
199:
200: switch (pkt_msg_type(rpkt) & ~1) {
201: case AUTH_MSG_KDC_REPLY:
202: break;
203: case AUTH_MSG_ERR_REPLY:
204: bcopy(pkt_err_code(rpkt),(char *) &rep_err_code,4);
205: if (swap_bytes) swap_u_long(rep_err_code);
206: return((int)rep_err_code);
207: default:
208: return(INTK_PROT);
209: }
210:
211: /* EXTRACT INFORMATION FROM RETURN PACKET */
212:
213: /* get the principal's expiration date */
214: bcopy(pkt_x_date(rpkt),(char *) &exp_date,sizeof(exp_date));
215: if (swap_bytes) swap_u_long(exp_date);
216:
217: /* Extract the ciphertext */
218: cip->length = pkt_clen(rpkt); /* let clen do the swap */
219:
220: if ((cip->length < 0) || (cip->length > sizeof(cip->dat)))
221: return(INTK_ERR); /* no appropriate error code
222: currently defined for INTK_ */
223: /* copy information from return packet into "cip" */
224: bcopy((char *) pkt_cipher(rpkt),(char *)(cip->dat),cip->length);
225:
226: /* Attempt to decrypt the reply. */
227: if (decrypt_proc == NULL)
228: decrypt_proc = decrypt_tkt;
229: (*decrypt_proc)(user, instance, realm, arg, key_proc, &cip);
230:
231: ptr = (char *) cip->dat;
232:
233: /* extract session key */
234: bcopy(ptr,(char *)ses,8);
235: ptr += 8;
236:
237: if ((strlen(ptr) + (ptr - (char *) cip->dat)) > cip->length)
238: return(INTK_BADPW);
239:
240: /* extract server's name */
241: (void) strcpy(s_name,ptr);
242: ptr += strlen(s_name) + 1;
243:
244: if ((strlen(ptr) + (ptr - (char *) cip->dat)) > cip->length)
245: return(INTK_BADPW);
246:
247: /* extract server's instance */
248: (void) strcpy(s_instance,ptr);
249: ptr += strlen(s_instance) + 1;
250:
251: if ((strlen(ptr) + (ptr - (char *) cip->dat)) > cip->length)
252: return(INTK_BADPW);
253:
254: /* extract server's realm */
255: (void) strcpy(rlm,ptr);
256: ptr += strlen(rlm) + 1;
257:
258: /* extract ticket lifetime, server key version, ticket length */
259: /* be sure to avoid sign extension on lifetime! */
260: lifetime = (unsigned char) ptr[0];
261: kvno = (unsigned char) ptr[1];
262: tkt->length = (unsigned char) ptr[2];
263: ptr += 3;
264:
265: if ((tkt->length < 0) ||
266: ((tkt->length + (ptr - (char *) cip->dat)) > cip->length))
267: return(INTK_BADPW);
268:
269: /* extract ticket itself */
270: bcopy(ptr,(char *)(tkt->dat),tkt->length);
271: ptr += tkt->length;
272:
273: if (strcmp(s_name, service) || strcmp(s_instance, sinstance) ||
274: strcmp(rlm, realm)) /* not what we asked for */
275: return(INTK_ERR); /* we need a better code here XXX */
276:
277: /* check KDC time stamp */
278: bcopy(ptr,(char *)&kdc_time,4); /* Time (coarse) */
279: if (swap_bytes) swap_u_long(kdc_time);
280:
281: ptr += 4;
282:
283: (void) gettimeofday(&t_local,(struct timezone *) 0);
284: if (abs((int)(t_local.tv_sec - kdc_time)) > CLOCK_SKEW) {
285: return(RD_AP_TIME); /* XXX should probably be better
286: code */
287: }
288:
289: /* initialize ticket cache */
290: if (in_tkt(user,instance) != KSUCCESS)
291: return(INTK_ERR);
292:
293: /* stash ticket, session key, etc. for future use */
294: if (kerror = save_credentials(s_name, s_instance, rlm, ses,
295: lifetime, kvno, tkt, t_local.tv_sec))
296: return(kerror);
297:
298: return(INTK_OK);
299: }
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.